Competence Series
Industry 4.0 = Security 4.0?
IT Security made in Europe
Industry 4.0 = Security 4.0?

Industry 4.0 is the term used to describe the fourth industrial revolution: the future of industrial production based on the Internet of Things. Its characteristics include a high level of product individualisation and an ability to simultaneously take account of the requirements of dynamic (high-volume) production. Factories are turning into smart factories. Processes are being controlled and coordinated in real time across national and corporate boundaries. To succeed, it will require the standardisation and modularisation of the individual process steps and the programming of virtually editable models of these modules.

Product individualisation enables companies in many industries to produce a large number of product variants at low cost and, in doing so, to satisfy individual customer needs. Companies can react flexibly to market developments, to rapid changes in product requirements or to fluctuating commodity prices. This high level of adaptability is accompanied by an improved utilisation of production capacities, whilst the flexible management of resources serves to improve overall operating efficiency. More accurate calculations mean that less material is needed, which reduces inventory and manufacturing costs.

Industry 4.0 means opportunities and challenges. Integrating the concept within an organisation means opening up the company's IT infrastructure, making it more susceptible to errors and more vulnerable to attack. Unfortunately, intruders will not stop trying to find new ways of breaking into business networks. Attacks specifically designed to penetrate industrial control systems present a threat to production facilities. Infected computers can be controlled remotely and their data stolen. Other linked or built-in devices such as microphones, keyboards and monitors can also be spied on. Because such malware exploits previously unknown security holes, firewalls and network monitoring software are unable to detect it.
Risk scenarios

Scenario 1: Attackers install malicious programs and block all production and logistics operations. Production and capacity utilisation data are inspected, and application and system data manipulated. In a worst-case scenario, a misdirected machine could cause physical damage in its vicinity.

Scenario 2: Commands to industrial robots are sent via embedded systems, which are usually connected to a programmable logic controller. The control components are linked to the Internet. An attacker can therefore read application and system data, and install data packets designed to sabotage the production lines, related systems or even the entire corporate IT infrastructure.

Scenario 3: Social engineering. Attackers exploit human characteristics such as helpfulness, trust, curiosity or fear to manipulate employees and gain access to data, to circumvent security precautions or to install malicious code on their computers. Their objective is to spend time undisturbed inside the company's network.

Cases in Germany

APT attack on a steel works: Using a combination of social engineering (Scenario 3) and email data theft (a spear-phishing attack), intruders gained access to the office network of a steel works. From there, they worked their way into the production networks. They disabled control systems and parts of the plant. A blast furnace could not be shut down as normal and remained in an undefined state. The furnace suffered massive damage.

Attack on production networks by Dragonfly: Dragonfly is a group that has already attacked several dozen companies in Germany. One of their attack campaigns targeted manufacturers of industrial control system software. They inserted the malware program Havex into the installation files on the download servers. This allowed them to gather specific information about the industrial control systems sector, including details of the devices and systems used in production networks. The Federal Office for Information Security (BSI) expects the perpetrators to make use of this information in further attacks and is following the attack campaign together with Germany's Federal Criminal Police Office (BKA).

The concept for IT Security 4.0

In order to gain long-term benefits from the huge opportunities offered by Industry 4.0, manufacturing companies must establish an effective and efficient security management system for their smart factories.
Traditional protection strategies such as firewalls, antivirus software and network monitoring software only ever protect specific, small parts of the IT infrastructure from potential attacks. Attackers, on the other hand, focus on detecting new and unknown security holes. A broad-based protection strategy counteracts this. A wide array of risk identification modules correlates millions of security events and remains constantly on the lookout for new threat scenarios. The results of the correlations are then analysed by a team of experts with constantly updated specialist knowledge and skills. The analyses must be able to provide a readily available overview of the critical information that would quickly reveal the presence of a real attack.

Component 1: excellent detection tools

To protect every level of the IT infrastructure, automated risk identification modules need to be employed:

- Security Information & Event Management (SIEM): creating an alert in the event of security issues or potential risks through the collection, analysis and correlation of logs from various sources.
- Advanced Cyber Intrusion Detection (ACID): the detection of dangerous malware, anomalies and other risks in the network traffic using signature- and behaviour-based detection engines.
- Host-based Intrusion Detection System (HIDS): the collection, analysis and correlation of server and client logs as well as rapid alerting when attacks, misuse or errors are detected. The data integrity of the local system is checked and rootkits, concealed attacks, trojans and viruses are identified from changes to the system.
- Vulnerability Management and Assessment (VAS): a 360-degree overview of potential security flaws in operating systems and application software, and the monitoring for anomalies of all data flows on the network.
- Advanced Email Threat Detection (AETD): the deployment of next-generation sandbox technologies to detect advanced malware in emails.
- Software Compliance (SOCO): automated monitoring of adherence to compliance regulations and the immediate reporting of breaches to minimise compliance risks.
Component 2: state-of-the-art correlation engine

Signature-based intrusion detection is often ineffective against the types of attack being carried out today. Traffic is therefore not tested on the basis of patterns but on the basis of behaviour within the IT system. Unusual behaviour becomes visible when all security events are correlated with each other on two levels: at the level of a single risk identification module and at the level of cross-correlation of the information from different modules. Advanced correlation is also a necessary requirement for recognising the suspicious behaviours of concealed or as yet unknown forms of attack. To ensure the success of the Advanced Correlation Engine in detecting risks and warning of critical situations, rules, policies, self-taught algorithms and statistical models must be applied and updated regularly.

Component 3: expert analysis and evaluation

Automatically collected security information must be assessed by highly specialised experts. They analyse, evaluate and prioritise the results and, using the very latest information and knowledge, are responsible for the ongoing development of the automated mechanisms. All the results should be seen as part of a big picture, and the analysis should take into account events in the particular IT infrastructure as well as the latest developments inside and outside the industry. Teams of experts must also act quickly to provide precise instructions on troubleshooting, and they must constantly adapt all the policies and rules used by the risk identification modules and advanced correlation engines so that vulnerabilities and new types of attack are identified and eliminated without delay.

The benefits of Managed Security Services

The automated collection and analysis of security data, the correlation of all the information, the continuous tailoring of rules and models and the interpretation of the information collected require time as well as personnel and financial resources.
Many companies are not in a position to make such efforts over the long term in addition to their normal business operations. This is where the expertise and tools of an external specialist are worth looking at.

RadarServices is the European market leader for proactive IT security monitoring and IT risk detection as a managed service. We offer businesses a complete package for implementing continuous security monitoring across their IT infrastructure. Companies that outsource their IT security services do not have to transfer security-related, and therefore highly sensitive, information to the outside. RadarServices provides a hardware appliance, including all modules and the Advanced Correlation Engine. This collects and analyses all automatically obtained information. The hardware appliance operates within the corporate network, making sure that no security-sensitive data ever physically leaves the company.

RadarServices continuously configures and maintains all the modules. The rules governing risk detection and correlation are constantly updated. All important information, free from false positives and false negatives, is ultimately sent to the Risk & Security Cockpit. Reports and statistics are made available in the desired depth of detail. In urgent cases, alerts are sent via the Cockpit, via email and even as a push message to mobile phones. The internal IT security teams can contact the experts at any time via a messaging and feedback system. A built-in Business Process Risk View highlights those business processes that are most vulnerable to IT security threats, adding the finishing touch to this fully-featured and resource-saving solution.

Component 4: information processing

Intelligence on the latest IT security situation within the company should be presented centrally and in the form of detailed, easy-to-understand reports and statistics, both for the internal IT security teams and for senior management.
Information should focus on the most critical events to ensure that remedial work is targeted specifically at what matters. In urgent scenarios, an alert must be sent to defined recipients.
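The two-level correlation described under Component 2 (first within a single module, then across modules) and the prioritisation of the most critical events from Component 4, as an added example in Python that is not RadarServices' code: SIEM login events are first condensed into a brute-force finding, then findings from SIEM, HIDS and ACID are combined per host within a ten-minute window and ranked by how many independent modules flagged the same host. The host names, event types, timestamps and window length are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real data: (module, host, ISO timestamp, event type)
EVENTS = [
    ("SIEM", "plc-gw-01", "2015-06-01T08:00:05", "login_failed"),
    ("SIEM", "plc-gw-01", "2015-06-01T08:00:09", "login_failed"),
    ("SIEM", "plc-gw-01", "2015-06-01T08:00:12", "login_failed"),
    ("SIEM", "plc-gw-01", "2015-06-01T08:00:20", "login_success"),
    ("HIDS", "plc-gw-01", "2015-06-01T08:03:40", "integrity_change"),
    ("ACID", "plc-gw-01", "2015-06-01T08:05:10", "beacon_unknown_host"),
    ("SIEM", "hmi-07", "2015-06-01T09:00:00", "login_failed"),
    ("ACID", "hmi-07", "2015-06-01T09:00:30", "beacon_unknown_host"),
]
WINDOW = timedelta(minutes=10)  # assumed correlation window

def level1_siem(events):
    # Level 1, within one module: >= 3 failed logins on a host followed by a
    # success inside the window are condensed into one brute-force finding
    per_host = defaultdict(list)
    for module, host, ts, kind in events:
        if module == "SIEM":
            per_host[host].append((datetime.fromisoformat(ts), kind))
    findings = []
    for host, evs in per_host.items():
        fails = [t for t, k in evs if k == "login_failed"]
        hits = [t for t, k in evs if k == "login_success"
                and sum(f <= t and t - f <= WINDOW for f in fails) >= 3]
        findings += [("SIEM", host, t, "brute_force_success") for t in hits]
    return findings

def level2_cross(findings):
    # Level 2, across modules: a host flagged by >= 2 different modules inside the
    # window gets one combined alert, prioritised by how many modules agree
    by_host = defaultdict(list)
    for module, host, ts, kind in findings:
        by_host[host].append((ts, module, kind))
    alerts = []
    for host, fs in by_host.items():
        fs.sort()
        modules = sorted({m for _, m, _ in fs})
        if len(modules) >= 2 and fs[-1][0] - fs[0][0] <= WINDOW:
            alerts.append({"host": host, "modules": modules,
                           "types": [k for _, _, k in fs], "priority": len(modules)})
    return sorted(alerts, key=lambda a: -a["priority"])  # most critical first

def run(events=EVENTS):
    # HIDS and ACID detections are taken as level-1 findings as they stand
    single = [(m, h, datetime.fromisoformat(ts), k) for m, h, ts, k in events if m != "SIEM"]
    return level2_cross(level1_siem(events) + single)
```

On the sample data only plc-gw-01 is raised, because hmi-07 has a single failed login and is flagged by only one module; a single ACID beacon on its own never reaches the cross-module alert.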
RadarServices is the European market leader for managed security services. In focus: the early detection of IT security risks. Data never leaves a client's company. The services combine (1) cutting-edge technology developed in Europe, (2) the work of security intelligence teams in Security Operations Centers (SOCs) globally and (3) documented processes and best practices. The result: highly effective and efficient improvement of IT security and risk management, continuous IT security monitoring and an overview of security-related information throughout the entire corporation.

RadarServices
Zieglergasse 6, 1070 Vienna, Austria
Phone: +43 (1) 929 12 71-0
Fax: +43 (1) 929 12 71-710
Email: sales@radarservices.com
Web: www.radarservices.com

RadarServices Germany
Taunustor 1, 60310 Frankfurt a. M.
Phone: +49 (69) 2443424 655
Email: sales_germany@radarservices.com

RadarServices Middle East
A110-1, DSO HQ Building, Dubai, UAE
Phone: +971 (4) 501 5447
Email: sales_me@radarservices.com

2015 RadarServices Smart IT-Security GmbH. FN371019s, Commercial Court Vienna, Austria. All rights and changes reserved. RadarServices is a registered trademark of RadarServices Smart IT-Security GmbH. All other product or company names are trademarks or registered trademarks of the respective owners.

Detecting Risk, Protecting Value